Blog

Some might say a good decision is based on knowledge and not on numbers. 

During a penetration test, the Schellman team often works with development teams, administrators, risk and compliance professionals and information security personnel; however, the initial point of contact for a penetration test may be an individual that isn’t any of those. More and more, someone from the product or procurement team may have the responsibility—or shared responsibility—of having a penetration test performed. While these individuals may understand a timeline for a specific task, they likely do not have full visibility into the entire project. Such circumstances, among others, can trigger one of the biggest challenges frequently seen in planning pen tests—timing.

In the battle for top tech talent, the wrong hire can be devastating. So do your tech team the favor of watching out for these warning signs before offering the job. It’s a hiring worst-case scenario: A job candidate aces every aspect of the interview process, but after joining the company, they can’t get the job done. Or perhaps worse, the new coworker is capable but so disruptive the rest of the team suffers.

In 2018, the year of artificial intelligence, internet of things, blockchain, and big data, it is safe to say more and more companies are emerging to be technology companies. In the last year, a lot of attention has been placed on how automotive companies such as Ford and General Motors are positioning themselves as technology companies.

Hiring managers and recruiters bemoan a soft skills gap in IT, and recent data backs up the sentiment. A LinkedIn report conducted with consulting firm Capgemini found that more employers say their organization lacks soft skills (nearly 60 percent) than hard digital skills (51 percent).

This article details the prevalence of risk acceptance within organizations, why IT security departments may be putting too much confidence in their controls, and how excessive risk acceptance is often cultural. Originally published in the April 2018 issue of the ISSA Journal

Though vulnerability scanning is only one of the control requirements in FedRAMP, it is actually one of the most frequent pitfalls in terms of impact to an authorization to operate (ATO), as FedRAMP requirements expect cloud service providers (CSPs) to have a mature vulnerability management program. A CSP needs to have the right people, processes and technologies in place, and must successfully demonstrate maturity for all three. CSPs that have an easier time with the vulnerability scanning requirements follow a similar approach, which can be best articulated by breaking down the expectations into three stages.

Web application scanning, a type of dynamic application security testing (DAST), is an important component for organizations looking to provide a secure online offering to their clients.